Changes in branches/3.6/wp-includes/functions.php [24918:25345]

File:

• branches/3.6/wp-includes/functions.php (modified) (7 diffs)

branches/3.6/wp-includes/functions.php

@@ -243 +243 @@
  *
  * @param mixed $data Value to check to see if was serialized.
+ * @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true.
  * @return bool False if not serialized and true if it was.
  */
-function is_serialized( $data ) {
+function is_serialized( $data, $strict = true ) {
     // if it isn't a string, it isn't serialized
     if ( ! is_string( $data ) )
@@ -257 +258 @@
     if ( ':' !== $data[1] )
         return false;
-    $lastc = $data[$length-1];
-    if ( ';' !== $lastc && '}' !== $lastc )
-        return false;
+    if ( $strict ) {
+        $lastc = $data[ $length - 1 ];
+        if ( ';' !== $lastc && '}' !== $lastc )
+            return false;
+    } else {
+        $semicolon = strpos( $data, ';' );
+        $brace     = strpos( $data, '}' );
+        // Either ; or } must exist.
+        if ( false === $semicolon && false === $brace )
+            return false;
+        // But neither must be in the first X characters.
+        if ( false !== $semicolon && $semicolon < 3 )
+            return false;
+        if ( false !== $brace && $brace < 4 )
+            return false;
+    }
     $token = $data[0];
     switch ( $token ) {
         case 's' :
-            if ( '"' !== $data[$length-2] )
+            if ( $strict ) {
+                if ( '"' !== $data[ $length - 2 ] )
+                    return false;
+            } elseif ( false === strpos( $data, '"' ) ) {
                 return false;
+            }
         case 'a' :
         case 'O' :
@@ -271 +289 @@
         case 'i' :
         case 'd' :
-            return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data );
+            $end = $strict ? '$' : '';
+            return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );
     }
     return false;
@@ -318 +337 @@
     // Double serialization is required for backward compatibility.
     // See http://core.trac.wordpress.org/ticket/12930
-    if ( is_serialized( $data ) )
+    if ( is_serialized( $data, false ) )
         return serialize( $data );
 
@@ -1284 +1303 @@
 
     if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
-        return wp_unslash( $ref );
+        return wp_validate_redirect( $ref, false );
     return false;
 }
@@ -1299 +1318 @@
 function wp_get_original_referer() {
     if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
-        return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
+        return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
     return false;
 }
@@ -2007 +2026 @@
  * @uses wp_get_upload_mime_types() to fetch the list of mime types
  *
+ * @param int|WP_User $user Optional. User to check. Defaults to current user.
  * @return array Array of mime types keyed by the file extension regex corresponding to those types.
  */
-function get_allowed_mime_types() {
-    return apply_filters( 'upload_mimes', wp_get_mime_types() );
+function get_allowed_mime_types( $user = null ) {
+    $t = wp_get_mime_types();
+
+    unset( $t['swf'], $t['exe'] );
+    if ( function_exists( 'current_user_can' ) )
+        $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
+
+    if ( empty( $unfiltered ) )
+        unset( $t['htm|html'] );
+
+    return apply_filters( 'upload_mimes', $t, $user );
 }